Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
burst-size-limit 125k;
}
then discard;
}
}
Apply the bandwidth policer to rate-limit IPv4 and IPv6 traffic on interface fe-0/1/1:
Configuring Load-Balance Groups
[edit interfaces fe-0/1/1 unit 0 family inet]
policer input new-police1;
[edit interfaces fe-0/1/1 unit 0 family inet6]
policer output new-police1;
In addition to including policers in firewall filters, you can configure a load-balance group
that is not part of a firewall filter configuration. A load-balance group contains interfaces
that all use the same next-hop group characteristic to load-balance the traffic.
To configure a load-balance group, include the load-balance-group statement at the
[edit firewall] hierarchy level:
Examples: Configuring Policing
[edit firewall]
load-balance-group group-name {
next-hop-group [ group-names ];
}
Next-hop groups allow you to include multiple interfaces used to forward duplicate
packets used in port mirroring. For more information about next-hop groups, see
“Configuring Next-Hop Groups” on page 367.
The following example shows a complete filter configuration containing a policer. It limits
all FTP traffic from a given source to certain rate limits. Traffic exceeding the limits is
discarded, and the remaining traffic is accepted and counted.
[edit]
firewall {
policer policer-1 {
if-exceeding {
bandwidth-limit 400k;
burst-size-limit 100k;
}
then {
discard;
}
}
term tcp-ftp {
from {
source-address 10.2.3/24;
protocol tcp;
destination-port ftp;
}
then {
310
Copyright © 2010, Juniper Networks, Inc.